On 9 December 2022 the Department for Digital, Culture, Media & Sport published a new voluntary Code of Practice (“COP”) for app store operators and app developers. The government will work with operators and developers to ensure adoption of the rules over a 9-month period. The Code is part of the government’s £2.6 billion National Cyber Security Strategy.
The COP includes eight principles, some of which are already mandated by existing legislation. The aim of the COP is to better protect consumers from malicious apps which can steal data and money. Responsibility for implementing the principles falls on App Store Operators, App Developers and Platform Developers, who are defined in the COP as follows:
App Store Operators: “The persons or organisations responsible for operating the app store. The App Store Operator will have capability to add and remove apps. They will also decide on the requirements that apps will need to meet to be included in the app store, taking into account any legal requirements.”
App Developers: “Persons or organisations which create or maintain apps on the app store. App Developers are responsible for ensuring their app meets the requirements of the app store, as well as any legal requirements.”
Platform Developers: “Persons or organisations responsible for producing the operating system, default functionality and the interface that enables third parties to implement additional functionality, such as through apps.”
Business-to-business application programming interface providers are not required to comply with the Code.
The Principles set out in the COP are as follows:
Ensure only apps that meet the code’s security and privacy baseline requirements are allowed on the app store.
Ensure apps adhere to baseline security and privacy requirements
Implement a vulnerability disclosure process
Keep apps updated to protect users
Provide important security and privacy information to users in an accessible way
Provide security and privacy guidance to Developers
Provide clear feedback to developers
Ensure appropriate steps are taken when a personal data breach arises.
As apps increasingly form part of our day-to-day life, the COP should help protect consumers from online threats. Developers and operators who adopt the COP will be able to declare they are following its principles on their website, app website or app store.
Paul Maddinson, NCSC Director of National Resilience and Strategy, said:
“By signing up to this code of practice, developers and operators can demonstrate how they are delivering security as standard, as well as protect users from malicious actors and vulnerable apps”.